The specified fingerprint, '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', does not match the key fingerprint '8540A6F18833A80E9C1653A42FD21310B49F6B46

[griff92]

Describe the bug

When installing the collection on a fresh server I receive this error:
The specified fingerprint, '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', does not match the key fingerprint '8540A6F18833A80E9C1653A42FD21310B49F6B46

When looking at the gpg key on an ubuntu wsl I can see there was a new key created on 29/5 - It appears that the install is defaulting to this key:
`[REDACTED ] $ gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
pub rsa4096 2024-05-29 [SC]
8540A6F18833A80E9C1653A42FD21310B49F6B46
uid nginx signing key [email protected]

pub rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid nginx signing key [email protected]

pub rsa4096 2024-05-29 [SC]
9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
uid nginx signing key [email protected]`

In the code under tasks/keys/setup-keys.yml

I can see the rsa2048 key specified:
- name: (Red Hat/SLES OSs) Add NGINX signing key ansible.builtin.rpm_key: fingerprint: 8540A6F18833A80E9C1653A42FD21310B49F6B46 key: "{{ keysite }}" when: ansible_facts['os_family'] in ['RedHat', 'Suse']

To reproduce

Packer shell provisioner installs the collections:

  "ansible-galaxy collection install community.general && sleep 10",
  "ansible-galaxy collection install ansible.posix && sleep 10",
  "ansible-galaxy collection install nginxinc.nginx_core && sleep 10",
  "ansible-galaxy collection install community.crypto && sleep 10",

Playbook:
`---

• hosts: all
  become: true
  collections:
  • nginxinc.nginx_core
    roles:
  • nginx`

Expected behavior

Install nginx

Your environment

-nginxinc.nginx_core:0.8.0

• community.general:9.0.1
• ansible.posix:1.5.4
• community.crypto:2.20.0

Additional context

This was working before the 29th.
Is there a way to specify the rsa2048key as a var, or does the code need updating with a PR?

Thanks

[griff92]

I have put a work around in place for now by adding an additional ansible provisioner into my packer file to run this:

`---

• name: Add rpm key
  hosts: all
  become: true

  tasks:

  • name: (Red Hat/SLES OSs) Add NGINX signing key
    ansible.builtin.rpm_key:
    fingerprint: "{{ item }}"
    key: https://nginx.org/keys/nginx_signing.key
    loop:
    • 8540A6F18833A80E9C1653A42FD21310B49F6B46
    • 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
    • 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
      `
      Then for the playbook to install nginx i've added --skip-tag nginx_key" so it ignores the bit that was failing.

[wzcwts521]

I'm facing the same issue.

[alessfg]

Heya! The role itself has been updated, but it might take a little while for the collection to be updated. As an alternative to the workaround you mentioned, I would also suggest downloading the latest commit of this role directly :)

[mixman68]

The collection play the keys after prerequisites but it doesn't work on existing installation cuz nginx already part of sources.list, so the keys should be updated before running the prerequisite tasks

[alessfg]

A new version of the role has been released! Whilst the collection has not yet been updated (and it might be a little while until it is), I am going to close this issue for the time being. Feel free to reopen it in the collection repo!